
Dangers of mounting docker.sock

This scenario introduces the potential security concerns around docker.sock and what you need to be aware of when providing access to the file in containers.


In this scenario, we explored what can happen if an attacker gains access to the docker.sock file. Once they have access, they have complete control over the host Docker daemon, allowing them to escalate privileges and launch privileged containers with far more access than the original container had.


Mounting docker.sock

Containers use the docker.sock file to communicate with the host Docker daemon. Access to the daemon is commonly used to listen for Docker events, for example when containers start or stop, so that application configuration can be updated. A popular framework using this is nginx-proxy, which serves as a load balancer for containers.

Mounting the file is done via the volume flag, for example -v /var/run/docker.sock:/var/run/docker.sock.

However, you need to be careful about which images you trust with this file, which we'll explore in the next step.

Cute Kittens

Docker images on the public registry cannot always be trusted. While an image may promise to do one thing, unless you spend time exploring the entire image it might have hidden gems designed for malicious activity.

Let's take the image benhall/cute-kittens. This image promises to deliver cute kittens via a Docker container. Sounds great, so let's run it.

docker run benhall/cute-kittens

Images taking advantage of docker.sock

The container gave us an error saying that it requires the docker.sock file to launch. As we are keen to run the image, we'll just provide the file:

However, instead of the behaviour we expected, it launched a privileged sub-container that runs ls /dev. The ls command lists all the devices on the host OS, and the container has complete access to them.

You can see the results of the additional container being launched by running docker ps -a.

If cute-kittens were more malicious, it could have wiped out our entire host.

Read only access to docker.sock

With Docker volumes you can define permissions that stop users writing to files. However, because access to the Docker daemon goes through the socket rather than by writing to the file, these permissions do not protect you from additional containers being launched.

For example, here we've defined our socket as read-only, but it will still have the same result.
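As an added check that is not part of the scenario, the following Python script audits docker inspect output for containers that bind-mount docker.sock (treating a read-only mount as no safer, for the reason described above) or that run privileged. The container records are constructed sample data mirroring the cute-kittens example; the script does not need a running daemon.

```python
"""Audit `docker inspect` JSON for containers that expose the Docker socket
(read-only or not) or run privileged.  Added example, not part of the
Katacoda scenario; the sample below is constructed to mirror it."""
import json

DOCKER_SOCK = "/var/run/docker.sock"

# Constructed sample resembling `docker inspect $(docker ps -aq)` output:
# the cute-kittens container (socket mounted read-only), the privileged
# child it launched, and an unrelated container using a named volume.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/cute-kittens",
     "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": DOCKER_SOCK,
                 "Destination": DOCKER_SOCK, "RW": False}]},
    {"Id": "bbb222", "Name": "/kitten-child",
     "HostConfig": {"Privileged": True}, "Mounts": []},
    {"Id": "ccc333", "Name": "/web",
     "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "volume", "Source": "webdata",
                 "Destination": "/data", "RW": True}]},
])


def audit(inspect_json):
    """Return (container name, finding) pairs for risky containers."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", c.get("Id", "?")).lstrip("/")
        for m in c.get("Mounts", []):
            if m.get("Source") == DOCKER_SOCK:
                # A read-only bind does not stop API calls over the socket,
                # so :ro gets the same severity as a read-write mount.
                mode = "rw" if m.get("RW", True) else "ro"
                findings.append((name, f"docker.sock mounted ({mode}): "
                                       "full control of the host daemon"))
        if c.get("HostConfig", {}).get("Privileged"):
            findings.append((name, "privileged: host devices accessible"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INSPECT):
        print(f"{name}: {finding}")
```

On a real host, pipe the output of docker inspect $(docker ps -aq) into audit() in place of the constructed sample.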

Debugging Scenarios

Help

Katacoda offers an Interactive Learning Environment for Developers. This course uses a command line and a pre-configured sandboxed environment for you to use. Below are useful commands when working with the environment.

cd <directory>: Change directory

ls: List directory

echo 'contents' > <file>: Write contents to a file

cat <file>: Output contents of file

Vim

In the case of certain exercises you will be required to edit files or text. The best approach is with Vim. Vim has two different modes, one for entering commands (Command Mode) and the other for entering text (Insert Mode). You need to switch between these two modes based on what you want to do. The basic commands are: